T25#429 is now fixed (Google notified me on Feb 19, 2022, and I could verify it now). Thus, publishing the whole report.
Oct 29 2022
Jul 15 2022
Oct 24 2021
I just checked T25#429 hasn't been fixed yet, so I just sent a message in the Buganizer bug to state that.
Google sent the automatic "Our systems show that all the bugs we created based on your report have been fixed by the product team" message on Jul 3, 2021, so I'm marking this as verified.
Jun 26 2021
I'm marking this report as fixed since I've just checked that all the reproduction steps shared here don't work anymore (the endpoints seem to be properly protected now).
On Jun 15, 2021 I contacted Google:
Jun 15 2021
This was fixed a long time ago by Google. Unrestricting access.
I just confirmed that the main vulnerability is fixed, while the one in comment T25#429 isn't.
Feb 20 2021
Google mentioned on Jan 7 that a bug report was filed based on my report, so I'm marking this issue as accepted.